@drax/identity-back 3.13.0 → 3.15.0

package/dist/security/schemas/PasswordPolicySchema.js

@@ -0,0 +1,18 @@
+import z from "zod";
+const PasswordPolicySchemaBase = z.object({
+    minLength: z.number().int().min(1),
+    maxLength: z.number().int().min(1),
+    requireUppercase: z.boolean(),
+    requireLowercase: z.boolean(),
+    requireNumber: z.boolean(),
+    requireSpecialChar: z.boolean(),
+    disallowSpaces: z.boolean(),
+    preventReuse: z.number().int().min(0),
+    expirationDays: z.number().int().min(1).nullable(),
+});
+const PasswordPolicySchema = PasswordPolicySchemaBase.refine((policy) => policy.maxLength >= policy.minLength, {
+    message: "validation.password.maxLength",
+    path: ["maxLength"]
+});
+const PartialPasswordPolicySchema = PasswordPolicySchemaBase.partial();
+export { PasswordPolicySchema, PartialPasswordPolicySchema };

package/dist/security/services/PasswordPolicyResolver.js

@@ -0,0 +1,21 @@
+import { defaultPasswordPolicy } from "../constants/defaultPasswordPolicy.js";
+import { PartialPasswordPolicySchema, PasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+import getPasswordEnvPolicy from "../utils/getPasswordEnvPolicy.js";
+class PasswordPolicyResolver {
+    async resolve(projectContext) {
+        const projectPolicy = await this.getProjectPolicy(projectContext);
+        const envPolicy = getPasswordEnvPolicy();
+        return PasswordPolicySchema.parse({
+            ...defaultPasswordPolicy,
+            ...projectPolicy,
+            ...envPolicy
+        });
+    }
+    async getProjectPolicy(projectContext) {
+        return projectContext?.projectPolicy
+            ? PartialPasswordPolicySchema.parse(projectContext.projectPolicy)
+            : {};
+    }
+}
+export default PasswordPolicyResolver;
+export { PasswordPolicyResolver };

package/dist/security/services/PasswordPolicyService.js

@@ -0,0 +1,147 @@
+import { randomInt } from "crypto";
+import { ZodError } from "zod";
+import { ValidationError, ZodErrorToValidationError } from "@drax/common-back";
+import AuthUtils from "../../utils/AuthUtils.js";
+import PasswordPolicySchemaFactory from "../utils/PasswordPolicySchemaFactory.js";
+class PasswordPolicyService {
+    constructor(resolver, userRepository, userPasswordHistoryService) {
+        this.resolver = resolver;
+        this.userRepository = userRepository;
+        this.userPasswordHistoryService = userPasswordHistoryService;
+    }
+    async getFinalPolicy(projectContext) {
+        return this.resolver.resolve(projectContext);
+    }
+    async getPasswordSchema(projectContext) {
+        const policy = await this.getFinalPolicy(projectContext);
+        return PasswordPolicySchemaFactory.create(policy);
+    }
+    async validatePassword(password, projectContext, options) {
+        const field = options?.field || "password";
+        try {
+            const schema = await this.getPasswordSchema(projectContext);
+            await schema.parseAsync(password);
+        }
+        catch (e) {
+            if (e instanceof ZodError) {
+                const validationError = ZodErrorToValidationError(e, { [field]: password });
+                validationError.errors = validationError.errors.map((error) => ({ ...error, field }));
+                throw validationError;
+            }
+            throw e;
+        }
+        if (options?.userId) {
+            await this.validateBusinessRules(password, options.userId, projectContext, {
+                field,
+                currentPasswordHash: options.currentPasswordHash
+            });
+        }
+    }
+    async generateCompatiblePassword(projectContext) {
+        const policy = await this.getFinalPolicy(projectContext);
+        const uppercaseChars = "ABCDEFGHJKLMNPQRSTUVWXYZ";
+        const lowercaseChars = "abcdefghijkmnopqrstuvwxyz";
+        const numericChars = "23456789";
+        const specialChars = "!@#$%&*_-+=";
+        const fallbackSpecial = policy.disallowSpaces ? "!" : " ";
+        const combinedChars = [
+            uppercaseChars,
+            lowercaseChars,
+            numericChars,
+            policy.requireSpecialChar ? specialChars : "",
+            policy.disallowSpaces ? "" : " "
+        ].join("") || `${uppercaseChars}${lowercaseChars}${numericChars}${fallbackSpecial}`;
+        const chars = [];
+        if (policy.requireUppercase) {
+            chars.push(this.randomChar(uppercaseChars));
+        }
+        if (policy.requireLowercase) {
+            chars.push(this.randomChar(lowercaseChars));
+        }
+        if (policy.requireNumber) {
+            chars.push(this.randomChar(numericChars));
+        }
+        if (policy.requireSpecialChar) {
+            chars.push(this.randomChar(specialChars));
+        }
+        if (!chars.length) {
+            chars.push(this.randomChar(`${uppercaseChars}${lowercaseChars}${numericChars}`));
+        }
+        while (chars.length < policy.minLength) {
+            chars.push(this.randomChar(combinedChars));
+        }
+        const password = this.shuffle(chars).join("").slice(0, policy.maxLength);
+        await this.validatePassword(password, projectContext);
+        return password;
+    }
+    async getPasswordStatus(user, projectContext) {
+        const policy = await this.getFinalPolicy(projectContext);
+        if (!policy.expirationDays) {
+            return { expired: false, expiresAt: null };
+        }
+        const lastPasswordChange = await this.getLastPasswordChangeDate(user);
+        if (!lastPasswordChange) {
+            return { expired: false, expiresAt: null };
+        }
+        const expiresAt = new Date(lastPasswordChange);
+        expiresAt.setDate(expiresAt.getDate() + policy.expirationDays);
+        return {
+            expired: expiresAt.getTime() <= Date.now(),
+            expiresAt
+        };
+    }
+    async recordPassword(userId, passwordHash) {
+        await this.userPasswordHistoryService?.create(userId, passwordHash);
+    }
+    async validateBusinessRules(password, userId, projectContext, options) {
+        const policy = await this.getFinalPolicy(projectContext);
+        if (!policy.preventReuse) {
+            return;
+        }
+        const field = options?.field || "password";
+        const recentHashes = await this.getRecentPasswordHashes(userId, policy.preventReuse, options?.currentPasswordHash);
+        const reused = recentHashes.some((item) => AuthUtils.checkPassword(password, item.passwordHash));
+        if (reused) {
+            throw new ValidationError([{ field, reason: "validation.password.preventReuse" }]);
+        }
+    }
+    async getRecentPasswordHashes(userId, limit, currentPasswordHash) {
+        const recent = await this.userPasswordHistoryService?.findLatestByUserId(userId, limit) || [];
+        const hashes = [...recent];
+        if (currentPasswordHash && !hashes.some((item) => item.passwordHash === currentPasswordHash)) {
+            hashes.unshift({ user: userId, passwordHash: currentPasswordHash });
+        }
+        else if (!currentPasswordHash && this.userRepository) {
+            const user = await this.userRepository.findByIdWithPassword(userId);
+            if (user?.password && !hashes.some((item) => item.passwordHash === user.password)) {
+                hashes.unshift({ user: userId, passwordHash: user.password });
+            }
+        }
+        return hashes.slice(0, limit);
+    }
+    async getLastPasswordChangeDate(user) {
+        if (!user?._id || !this.userPasswordHistoryService) {
+            return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+        }
+        const latest = await this.userPasswordHistoryService.findLatestByUserId(user._id.toString(), 1);
+        if (latest[0]?.createdAt) {
+            return new Date(latest[0].createdAt);
+        }
+        return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+    }
+    randomChar(source) {
+        return source[randomInt(0, source.length)];
+    }
+    shuffle(chars) {
+        const items = [...chars];
+        for (let i = items.length - 1; i > 0; i -= 1) {
+            const j = randomInt(0, i + 1);
+            const temp = items[i];
+            items[i] = items[j];
+            items[j] = temp;
+        }
+        return items;
+    }
+}
+export default PasswordPolicyService;
+export { PasswordPolicyService };

package/dist/security/utils/PasswordPolicySchemaFactory.js

@@ -0,0 +1,36 @@
+import z from "zod";
+class PasswordPolicySchemaFactory {
+    static create(policy) {
+        const cacheKey = JSON.stringify(policy);
+        const cached = this.cache.get(cacheKey);
+        if (cached) {
+            return cached;
+        }
+        let schema = z.string({ error: "validation.required" })
+            .min(1, "validation.required")
+            .min(policy.minLength, "validation.password.minLength")
+            .max(policy.maxLength, "validation.password.maxLength");
+        if (policy.requireUppercase) {
+            schema = schema.regex(/[A-Z]/, "validation.password.requireUppercase");
+        }
+        if (policy.requireLowercase) {
+            schema = schema.regex(/[a-z]/, "validation.password.requireLowercase");
+        }
+        if (policy.requireNumber) {
+            schema = schema.regex(/[0-9]/, "validation.password.requireNumber");
+        }
+        if (policy.requireSpecialChar) {
+            schema = schema.regex(/[^A-Za-z0-9]/, "validation.password.requireSpecialChar");
+        }
+        if (policy.disallowSpaces) {
+            schema = schema.refine((value) => !/\s/.test(value), {
+                message: "validation.password.disallowSpaces"
+            });
+        }
+        this.cache.set(cacheKey, schema);
+        return schema;
+    }
+}
+PasswordPolicySchemaFactory.cache = new Map();
+export default PasswordPolicySchemaFactory;
+export { PasswordPolicySchemaFactory };

package/dist/security/utils/getPasswordEnvPolicy.js

@@ -0,0 +1,19 @@
+import { DraxConfig } from "@drax/common-back";
+import PasswordPolicyConfig from "../../config/PasswordPolicyConfig.js";
+import { PartialPasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+function getPasswordEnvPolicy() {
+    const envPolicy = {
+        minLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MinLength, "number"),
+        maxLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MaxLength, "number"),
+        requireUppercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireUppercase, "boolean"),
+        requireLowercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireLowercase, "boolean"),
+        requireNumber: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireNumber, "boolean"),
+        requireSpecialChar: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireSpecialChar, "boolean"),
+        disallowSpaces: DraxConfig.getOrLoad(PasswordPolicyConfig.DisallowSpaces, "boolean"),
+        preventReuse: DraxConfig.getOrLoad(PasswordPolicyConfig.PreventReuse, "number"),
+        expirationDays: DraxConfig.getOrLoad(PasswordPolicyConfig.ExpirationDays, "number")
+    };
+    return PartialPasswordPolicySchema.parse(Object.fromEntries(Object.entries(envPolicy).filter(([, value]) => value !== undefined)));
+}
+export default getPasswordEnvPolicy;
+export { getPasswordEnvPolicy };

package/dist/services/PasswordPolicyService.js

@@ -0,0 +1,147 @@
+import { randomInt } from "crypto";
+import { ZodError } from "zod";
+import { ValidationError, ZodErrorToValidationError } from "@drax/common-back";
+import AuthUtils from "../utils/AuthUtils.js";
+import PasswordPolicySchemaFactory from "../utils/PasswordPolicySchemaFactory.js";
+class PasswordPolicyService {
+    constructor(resolver, userRepository, userPasswordHistoryService) {
+        this.resolver = resolver;
+        this.userRepository = userRepository;
+        this.userPasswordHistoryService = userPasswordHistoryService;
+    }
+    async getFinalPolicy() {
+        return this.resolver.resolve();
+    }
+    async getPasswordSchema() {
+        const policy = await this.getFinalPolicy();
+        return PasswordPolicySchemaFactory.create(policy);
+    }
+    async validatePassword(password, options) {
+        const field = options?.field || "password";
+        try {
+            const schema = await this.getPasswordSchema();
+            await schema.parseAsync(password);
+        }
+        catch (e) {
+            if (e instanceof ZodError) {
+                const validationError = ZodErrorToValidationError(e, { [field]: password });
+                validationError.errors = validationError.errors.map((error) => ({ ...error, field }));
+                throw validationError;
+            }
+            throw e;
+        }
+        if (options?.userId) {
+            await this.validateReuse(password, options.userId, {
+                field,
+                currentPasswordHash: options.currentPasswordHash
+            });
+        }
+    }
+    async generateCompatiblePassword() {
+        const policy = await this.getFinalPolicy();
+        const uppercaseChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        const lowercaseChars = "abcdefghijkmnopqrstuvwxyz";
+        const numericChars = "0123456789";
+        const specialChars = "!@#$%&*_-+=";
+        const fallbackSpecial = policy.disallowSpaces ? "!" : " ";
+        const combinedChars = [
+            uppercaseChars,
+            lowercaseChars,
+            numericChars,
+            policy.requireSpecialChar ? specialChars : "",
+            policy.disallowSpaces ? "" : " "
+        ].join("") || `${uppercaseChars}${lowercaseChars}${numericChars}${fallbackSpecial}`;
+        const chars = [];
+        if (policy.requireUppercase) {
+            chars.push(this.randomChar(uppercaseChars));
+        }
+        if (policy.requireLowercase) {
+            chars.push(this.randomChar(lowercaseChars));
+        }
+        if (policy.requireNumber) {
+            chars.push(this.randomChar(numericChars));
+        }
+        if (policy.requireSpecialChar) {
+            chars.push(this.randomChar(specialChars));
+        }
+        if (!chars.length) {
+            chars.push(this.randomChar(`${uppercaseChars}${lowercaseChars}${numericChars}`));
+        }
+        while (chars.length < policy.minLength) {
+            chars.push(this.randomChar(combinedChars));
+        }
+        const password = this.shuffle(chars).join("").slice(0, policy.maxLength);
+        await this.validatePassword(password);
+        return password;
+    }
+    async getPasswordExpiration(user) {
+        const policy = await this.getFinalPolicy();
+        if (!policy.expirationDays) {
+            return { expired: false, expiresAt: null };
+        }
+        const lastPasswordChange = await this.getLastPasswordChangeDate(user);
+        if (!lastPasswordChange) {
+            return { expired: false, expiresAt: null };
+        }
+        const expiresAt = new Date(lastPasswordChange);
+        expiresAt.setDate(expiresAt.getDate() + policy.expirationDays);
+        return {
+            expired: expiresAt.getTime() <= Date.now(),
+            expiresAt
+        };
+    }
+    async recordPassword(userId, passwordHash) {
+        await this.userPasswordHistoryService?.create(userId, passwordHash);
+    }
+    async validateReuse(password, userId, options) {
+        const policy = await this.getFinalPolicy();
+        if (!policy.preventReuse) {
+            return;
+        }
+        const field = options?.field || "password";
+        const recentHashes = await this.getRecentPasswordHashes(userId, policy.preventReuse, options?.currentPasswordHash);
+        const reused = recentHashes.some((item) => AuthUtils.checkPassword(password, item.passwordHash));
+        if (reused) {
+            throw new ValidationError([{ field, reason: "validation.password.preventReuse" }]);
+        }
+    }
+    async getRecentPasswordHashes(userId, limit, currentPasswordHash) {
+        const recent = await this.userPasswordHistoryService?.findLatestByUserId(userId, limit) || [];
+        const hashes = [...recent];
+        if (currentPasswordHash && !hashes.some((item) => item.passwordHash === currentPasswordHash)) {
+            hashes.unshift({ user: userId, passwordHash: currentPasswordHash });
+        }
+        else if (!currentPasswordHash && this.userRepository) {
+            const user = await this.userRepository.findByIdWithPassword(userId);
+            if (user?.password && !hashes.some((item) => item.passwordHash === user.password)) {
+                hashes.unshift({ user: userId, passwordHash: user.password });
+            }
+        }
+        return hashes.slice(0, limit);
+    }
+    async getLastPasswordChangeDate(user) {
+        if (!user?._id || !this.userPasswordHistoryService) {
+            return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+        }
+        const latest = await this.userPasswordHistoryService.findLatestByUserId(user._id.toString(), 1);
+        if (latest[0]?.createdAt) {
+            return new Date(latest[0].createdAt);
+        }
+        return user?.updatedAt ? new Date(user.updatedAt) : user?.createdAt ? new Date(user.createdAt) : null;
+    }
+    randomChar(source) {
+        return source[randomInt(0, source.length)];
+    }
+    shuffle(chars) {
+        const items = [...chars];
+        for (let i = items.length - 1; i > 0; i -= 1) {
+            const j = randomInt(0, i + 1);
+            const temp = items[i];
+            items[i] = items[j];
+            items[j] = temp;
+        }
+        return items;
+    }
+}
+export default PasswordPolicyService;
+export { PasswordPolicyService };

package/dist/services/UserPasswordHistoryService.js

@@ -0,0 +1,18 @@
+class UserPasswordHistoryService {
+    constructor(repository) {
+        this.repository = repository;
+    }
+    async create(userId, passwordHash) {
+        return this.repository.create({
+            user: userId,
+            passwordHash
+        });
+    }
+    async findLatestByUserId(userId, limit) {
+        if (limit <= 0) {
+            return [];
+        }
+        return this.repository.findLatestByUserId(userId, limit);
+    }
+}
+export default UserPasswordHistoryService;

package/dist/services/UserService.js

@@ -7,9 +7,13 @@ import { AbstractService } from "@drax/crud-back";
 import { randomUUID } from "crypto";
 import UserLoginFailServiceFactory from "../factory/UserLoginFailServiceFactory.js";
 import UserSessionServiceFactory from "../factory/UserSessionServiceFactory.js";
+import PasswordPolicyServiceFactory from "../factory/PasswordPolicyServiceFactory.js";
+import UserPasswordHistoryServiceFactory from "../factory/UserPasswordHistoryServiceFactory.js";
 class UserService extends AbstractService {
-    constructor(userRepository) {
+    constructor(userRepository, passwordPolicyService = PasswordPolicyServiceFactory(), userPasswordHistoryService = UserPasswordHistoryServiceFactory()) {
         super(userRepository, UserBaseSchema);
+        this.passwordPolicyService = passwordPolicyService;
+        this.userPasswordHistoryService = userPasswordHistoryService;
         this._repository = userRepository;
     }
     async auth(username, password, { userAgent, ip }) {
@@ -60,7 +64,7 @@ class UserService extends AbstractService {
         console.log("auth email", email);
         user = await this.findByEmail(email);
         if (!user && createIfNotFound) {
-            userData.password = userData.password ? userData.password : randomUUID();
+            userData.password = userData.password ? userData.password : await this.passwordPolicyService.generateCompatiblePassword();
             userData.active = userData.active === undefined ? true : userData.active;
             user = await this.create(userData);
         }
@@ -85,8 +89,14 @@ class UserService extends AbstractService {
     async changeUserPassword(userId, newPassword) {
         const user = await this._repository.findByIdWithPassword(userId);
         if (user) {
-            newPassword = AuthUtils.hashPassword(newPassword);
-            await this._repository.changePassword(userId, newPassword);
+            await this.passwordPolicyService.validatePassword(newPassword, {
+                field: 'newPassword',
+                userId,
+                currentPasswordHash: user.password
+            });
+            const newPasswordHash = AuthUtils.hashPassword(newPassword);
+            await this._repository.changePassword(userId, newPasswordHash);
+            await this.userPasswordHistoryService.create(userId, newPasswordHash);
             delete user.password;
             return user;
         }
@@ -101,8 +111,14 @@ class UserService extends AbstractService {
                 throw new ValidationError([{ field: 'newPassword', reason: 'validation.password.currentDifferent' }]);
             }
             if (AuthUtils.checkPassword(currentPassword, user.password)) {
-                newPassword = AuthUtils.hashPassword(newPassword);
-                await this._repository.changePassword(userId, newPassword);
+                await this.passwordPolicyService.validatePassword(newPassword, {
+                    field: 'newPassword',
+                    userId,
+                    currentPasswordHash: user.password
+                });
+                const newPasswordHash = AuthUtils.hashPassword(newPassword);
+                await this._repository.changePassword(userId, newPasswordHash);
+                await this.userPasswordHistoryService.create(userId, newPasswordHash);
                 delete user.password;
                 return user;
             }
@@ -145,8 +161,14 @@ class UserService extends AbstractService {
         try {
             const user = await this._repository.findByRecoveryCode(recoveryCode);
             if (user && user.active) {
-                newPassword = AuthUtils.hashPassword(newPassword);
-                await this._repository.changePassword(user._id, newPassword);
+                await this.passwordPolicyService.validatePassword(newPassword, {
+                    field: 'newPassword',
+                    userId: user._id.toString(),
+                    currentPasswordHash: user.password
+                });
+                const newPasswordHash = AuthUtils.hashPassword(newPassword);
+                await this._repository.changePassword(user._id, newPasswordHash);
+                await this.userPasswordHistoryService.create(user._id.toString(), newPasswordHash);
                 await this._repository.updatePartial(user._id, { recoveryCode: null });
                 return user;
             }
@@ -210,8 +232,11 @@ class UserService extends AbstractService {
             userData.password = userData?.password.trim();
             userData.tenant = userData.tenant === "" ? null : userData.tenant;
             await UserCreateSchema.parseAsync(userData);
-            userData.password = AuthUtils.hashPassword(userData.password.trim());
+            await this.passwordPolicyService.validatePassword(userData.password);
+            const passwordHash = AuthUtils.hashPassword(userData.password.trim());
+            userData.password = passwordHash;
             const user = await this._repository.create(userData);
+            await this.userPasswordHistoryService.create(user._id.toString(), passwordHash);
             return user;
         }
         catch (e) {

package/dist/setup/LoadIdentityConfigFromEnv.js

@@ -1,5 +1,6 @@
 import { DraxConfig } from "@drax/common-back";
 import IdentityConfig from "../config/IdentityConfig.js";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
 function LoadIdentityConfigFromEnv() {
     DraxConfig.set(IdentityConfig.JwtSecret, process.env[IdentityConfig.JwtSecret]);
     DraxConfig.set(IdentityConfig.JwtExpiration, process.env[IdentityConfig.JwtExpiration]);
@@ -7,6 +8,15 @@ function LoadIdentityConfigFromEnv() {
     DraxConfig.set(IdentityConfig.ApiKeySecret, process.env[IdentityConfig.ApiKeySecret]);
     DraxConfig.set(IdentityConfig.RbacCacheTTL, process.env[IdentityConfig.RbacCacheTTL]);
     DraxConfig.set(IdentityConfig.AvatarDir, process.env[IdentityConfig.AvatarDir]);
+    DraxConfig.set(PasswordPolicyConfig.MinLength, process.env[PasswordPolicyConfig.MinLength]);
+    DraxConfig.set(PasswordPolicyConfig.MaxLength, process.env[PasswordPolicyConfig.MaxLength]);
+    DraxConfig.set(PasswordPolicyConfig.RequireUppercase, process.env[PasswordPolicyConfig.RequireUppercase]);
+    DraxConfig.set(PasswordPolicyConfig.RequireLowercase, process.env[PasswordPolicyConfig.RequireLowercase]);
+    DraxConfig.set(PasswordPolicyConfig.RequireNumber, process.env[PasswordPolicyConfig.RequireNumber]);
+    DraxConfig.set(PasswordPolicyConfig.RequireSpecialChar, process.env[PasswordPolicyConfig.RequireSpecialChar]);
+    DraxConfig.set(PasswordPolicyConfig.DisallowSpaces, process.env[PasswordPolicyConfig.DisallowSpaces]);
+    DraxConfig.set(PasswordPolicyConfig.PreventReuse, process.env[PasswordPolicyConfig.PreventReuse]);
+    DraxConfig.set(PasswordPolicyConfig.ExpirationDays, process.env[PasswordPolicyConfig.ExpirationDays]);
 }
 export default LoadIdentityConfigFromEnv;
 export { LoadIdentityConfigFromEnv };

package/dist/setup/SetProjectPasswordPolicy.js

@@ -0,0 +1,7 @@
+import PasswordPolicyResolverFactory from "../factory/PasswordPolicyResolverFactory.js";
+function SetProjectPasswordPolicy(projectPasswordPolicy) {
+    const passwordPolicyResolver = PasswordPolicyResolverFactory();
+    passwordPolicyResolver.setProjectPolicy(projectPasswordPolicy);
+}
+export default SetProjectPasswordPolicy;
+export { SetProjectPasswordPolicy };

package/dist/utils/PasswordPolicySchemaFactory.js

@@ -0,0 +1,36 @@
+import z from "zod";
+class PasswordPolicySchemaFactory {
+    static create(policy) {
+        const cacheKey = JSON.stringify(policy);
+        const cached = this.cache.get(cacheKey);
+        if (cached) {
+            return cached;
+        }
+        let schema = z.string({ error: "validation.required" })
+            .min(1, "validation.required")
+            .min(policy.minLength, "validation.password.minLength")
+            .max(policy.maxLength, "validation.password.maxLength");
+        if (policy.requireUppercase) {
+            schema = schema.regex(/[A-Z]/, "validation.password.requireUppercase");
+        }
+        if (policy.requireLowercase) {
+            schema = schema.regex(/[a-z]/, "validation.password.requireLowercase");
+        }
+        if (policy.requireNumber) {
+            schema = schema.regex(/[0-9]/, "validation.password.requireNumber");
+        }
+        if (policy.requireSpecialChar) {
+            schema = schema.regex(/[^A-Za-z0-9]/, "validation.password.requireSpecialChar");
+        }
+        if (policy.disallowSpaces) {
+            schema = schema.refine((value) => !/\s/.test(value), {
+                message: "validation.password.disallowSpaces"
+            });
+        }
+        this.cache.set(cacheKey, schema);
+        return schema;
+    }
+}
+PasswordPolicySchemaFactory.cache = new Map();
+export default PasswordPolicySchemaFactory;
+export { PasswordPolicySchemaFactory };

package/dist/utils/getPasswordEnvPolicy.js

@@ -0,0 +1,19 @@
+import { DraxConfig } from "@drax/common-back";
+import PasswordPolicyConfig from "../config/PasswordPolicyConfig.js";
+import { PartialPasswordPolicySchema } from "../schemas/PasswordPolicySchema.js";
+function getPasswordEnvPolicy() {
+    const envPolicy = {
+        minLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MinLength, "number"),
+        maxLength: DraxConfig.getOrLoad(PasswordPolicyConfig.MaxLength, "number"),
+        requireUppercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireUppercase, "boolean"),
+        requireLowercase: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireLowercase, "boolean"),
+        requireNumber: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireNumber, "boolean"),
+        requireSpecialChar: DraxConfig.getOrLoad(PasswordPolicyConfig.RequireSpecialChar, "boolean"),
+        disallowSpaces: DraxConfig.getOrLoad(PasswordPolicyConfig.DisallowSpaces, "boolean"),
+        preventReuse: DraxConfig.getOrLoad(PasswordPolicyConfig.PreventReuse, "number"),
+        expirationDays: DraxConfig.getOrLoad(PasswordPolicyConfig.ExpirationDays, "number")
+    };
+    return PartialPasswordPolicySchema.parse(Object.fromEntries(Object.entries(envPolicy).filter(([, value]) => value !== undefined)));
+}
+export default getPasswordEnvPolicy;
+export { getPasswordEnvPolicy };

package/docs/password-policy.md

@@ -0,0 +1,33 @@
+# Password Policy
+
+La policy efectiva se resuelve con esta prioridad:
+
+```ts
+const finalPolicy = {
+  ...defaultPasswordPolicy,
+  ...projectPolicy,
+  ...envPolicy
+}
+```
+
+## Fuentes
+
+- `defaultPasswordPolicy`: `src/security/constants/defaultPasswordPolicy.ts`
+- `projectPolicy`: override opcional in-memory vía `projectContext`
+- `envPolicy`: variables declaradas en `src/config/PasswordPolicyConfig.ts`
+
+## Endpoint
+
+- `GET /api/auth/password-policy`
+
+Devuelve la policy efectiva para que frontend pueda mostrar requisitos de password antes de enviar formularios.
+
+## Validación
+
+- Formato: `PasswordPolicySchemaFactory` genera un `ZodType<string>` dinámico
+- Negocio: `PasswordPolicyService` aplica `preventReuse` y expone base para `expirationDays`
+
+## Notas
+
+- `preventReuse` usa persistencia en `user_password_history`
+- `expirationDays` ya forma parte de la policy efectiva y del servicio, pero en esta primera versión queda informativo; no bloquea login todavía

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "3.13.0",
+  "version": "3.15.0",
   "description": "Identity module for user management, authentication and authorization.",
   "main": "dist/index.js",
   "types": "types/index.d.ts",
@@ -28,11 +28,11 @@
   "author": "Cristian Incarnato & Drax Team",
   "license": "ISC",
   "dependencies": {
-    "@drax/common-back": "^3.10.0",
-    "@drax/crud-back": "^3.13.0",
-    "@drax/crud-share": "^3.13.0",
+    "@drax/common-back": "^3.14.0",
+    "@drax/crud-back": "^3.15.0",
+    "@drax/crud-share": "^3.14.0",
     "@drax/email-back": "^3.1.0",
-    "@drax/identity-share": "^3.0.0",
+    "@drax/identity-share": "^3.15.0",
     "bcryptjs": "^2.4.3",
     "graphql": "^16.8.2",
     "jsonwebtoken": "^9.0.2"
@@ -63,5 +63,5 @@
       "debug": "0"
     }
   },
-  "gitHead": "5f68eefbcb01c876471e387a815fee1040489c2c"
+  "gitHead": "a3bd3419f580b111b26da9e6be2e1cc4c75a056e"
 }